Enterprise Network File Storage: Managing your Andrew File System (AFS) Directories
Your personal AFS space at the University of Pittsburgh includes a home directory. Inside your home directory are two additional directories: a public directory and a private directory. Directories are similar to folders and are used to store files. By default, any files that you save in the home directory or the public directory can be accessed by others. The files that you save in the private directory can only be accessed by you. In addition to these directories, your AFS space may contain other directories that you have created or that were created by software programs (for example, the PINE email client).
AFS can be a useful way to store and share files with other members of the University community. It is important to remember,though, that any files you save on AFS can be accessed by others unless you do one of two things: 1) store them in your private directory, or 2) restrict the permissions on other directories to make them private.
This help sheet explains how to review your AFS directories to determine if others have access to them, and how to restrict access to those directories that you would like to keep private.
Review Your AFS Directories
Your AFS disk space may be accessed either by mounting the AFS volume using AFS client software or through the University's Unix Timesharing Service. More information about AFS clients is available at http://www.openafs.org. For the sake of simplicity, this document describes how to check the permissions on files in your AFS disk space through the Unix Timesharing Service.
1. Use an SSH client like PuTTY to open a secure connection to unixs.cssd.pitt.edu. Detailed instructions are available on our Unix Timesharing page.
2. Log in with your University Computing Account username and password. The Unix Timesharing Service login screen will display.
List Your AFS Directories
To list the directories in your AFS space, type ls -l at the command line prompt and press Enter. A list of your directories displays. In the screen shot below, four directories are listed for the Pitt user jdoe.
Check Permissions on Your AFS Directories
To check the permissions on each directory, type fs listacldirectory at the command prompt, where directory is replaced by the directory name.
For example, to check the permissions on the documents directory, type fs listacl documents. The directory permissions will display below the Normal rights: heading.
There are seven access rights, represented by the following letters: (r) read, (l) lookup, (i) insert, (d) delete, (w) write, (k) lock, and (a) administer. In the example above, the line jdoe rlidwka indicates that the owner of the account, jdoe, has full access to the directory named documents. The line system:anyuser l indicates that any user with access to AFS (either at the University of Pittsburgh, or at other institutions using AFS) has "lookup" rights to the directory named documents. Therefore, any files that jdoe stores in the documents directory can be looked up by other users, but they cannot be read. For others to read the files, the (r) permission would need to be set as well.
Check the permissions for each of your directories using the fs listacl directory command. If a letter or several letters display after system:anyuser, then other users have access to that directory. If system:anyuser does not display at all, or if system:anyuser none displays, then the directory is private and only you can access it.
Restrict AFS Directories That You Want to Keep Private
After you have checked permissions on your AFS directories, you have three options to protect individual files that you do not want other users to be able to access:
1. Delete the file using the rm filename command, where filename is the name of the file you want to delete
2. Move the file into your private directory or another protected directory using the mv filename destination command, where filename is the name of the file you want to move and destination is the directory into which you want to move the file.
3. Change the access permissions on the directory so that no one can access the files in it except you.
To access permissions on a directory, complete the following steps:
1. Type the command chmod 700 directory, where directory is the name of the directory you want to restrict. The chmod command is an abbreviation of "change mode" and allows you to alter permissions (i.e., modes) on directories. In the example below, user jdoe is running the command on the test directory.
Note: For more information on the chmod command, type man chmod at the command prompt.
2. Next, type the command fs setacl -dir directory -acl system:anyuser none, where directory is the name of the directory you want to restrict. This will set permissions on the directory so that other users have no access to it. In the example below, user jdoe is running the command on the test directory.
3. Verify that the permissions on the directory have been restricted by running the command fs listacl directory, where directory is the name of the directory you want to check. In the example below, the user is checking the test directory.
4. Confirm that system:anyuser does not display at all under the Normal rights: heading, or that system:anyuser none displays under the Normal rights: heading. The screen shot above confirms that only the user jdoe has access rights to the folder named test.